From a06f593282947a490cc23d1186eddfdd4774f790 Mon Sep 17 00:00:00 2001
From: W <kuhnen@science.ru.nl>
Date: Mon, 24 Oct 2016 16:58:13 +0200
Subject: [PATCH] work on v3

---
 report/v3_session.tex      | 50 +++++++++++++++++++++++++++-----------
 report/v7_cryptography.tex |  1 +
 2 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/report/v3_session.tex b/report/v3_session.tex
index 5b1f207..d6dab6c 100644
--- a/report/v3_session.tex
+++ b/report/v3_session.tex
@@ -1,64 +1,86 @@
 \begin{enumerate}[label={3.\arabic*}]
 
     \item
-    \pass
+      \pass{}
     Verify that there is no custom session manager, or that the custom session
     manager is resistant against all common session management attacks.
     \begin{result}
-      The application uses the standard \PHP functionality;
-      \code{session_start()} to manage sessions.
+      The application uses the standard \PHP{} functionality; namely
+      \code{session\_start ()} to manage sessions.
     \end{result}
 
 
     \item
-    \pass
+      \pass{}
     Verify that sessions are invalidated when the user logs out.
     \begin{result}
-      When a user logs out the application calls \code{forget()}, which destroys
-      the session.
+      When a user logs out the application calls \code{forget()}, which
+      invalidates the session.
     \end{result}
 
 
     \item
-    \fail
+      \fail{}
     Verify that sessions timeout after a specified period of inactivity.
     \begin{result}
-    There is no functionality which tracks how long a user has been inactive.
+    There is absolutely no functionality which tracks how long a user has been inactive.
     \end{result}
 
 
-  \notapplicable{
+  \notapplicable{%
     \item
     Verify that sessions timeout after an administratively-configurable
     maximum time period regardless of activity (an absolute timeout).
   }
 
     \item
-    \TODO{}
+      \pass{}
     Verify that all pages that require authentication have easy and visible
     access to logout functionality.
+    \begin{result}
+    The logout functionality is plainly visible on the top right of the
+      application on every page that requires authentication. This is defined in
+      \srcref{admin/themes/header.php}{16-30}
+    \end{result}
+
 
     \item
-    \TODO{}
+      \pass{}
     Verify that the session id is never disclosed in URLs, error messages, or
     logs. This includes verifying that the application does not support URL
     rewriting of session cookies.
+    \begin{result}
+      The session id is only used inside the cookie. And the \PHP{}
+      \code{\$\_SESSION} variable is never accessed outside of session
+      management in \srcref{sessions.php}{}.
+    \end{result}
+
 
     \item
-    \TODO{}
+    \fail{}
     Verify that all successful authentication and re-authentication generates
     a new session and session id.
+    \begin{result}
+    The application does not destroy the session id upon logout, it merely
+      invalidates it. \PHP{}'s % HOWEVER!
+    \end{result}
+
 
-  \notapplicable{
+  \notapplicable{%
     \item
     Verify that only session ids generated by the application framework are
     recognized as active by the application.
   }
 
     \item
-    \TODO{}
+    \pass{}
     Verify that session ids are sufficiently long, random and unique across the
     correct active session base.
+    \begin{result}
+      The session ids are generated by \PHP{} trough the \code{session\_start}
+      function. These are indeed sufficiently long, random and unique.
+    \end{result}
+
 
     \item
     \TODO{}
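Review bot: The evidence given for 3.6 (that `\$\_SESSION` is only accessed in sessions.php) does not establish that the session id is never disclosed in URLs or logs, nor that URL rewriting is disabled: the id lives in the cookie and in `session_id()`, not in `$_SESSION`, and PHP's `session.use_trans_sid` / `session.use_only_cookies` settings decide whether it can be carried in a URL, so the pass verdict is not yet supported by the stated result. The result should cite what was actually checked, e.g. `The reviewed configuration has \code{session.use\_trans\_sid} disabled and \code{session.use\_only\_cookies} enabled, and \code{session\_id()} is never written to output or logs.`, or the item should stay a \TODO{} until that is verified. The 3.7 result is also unfinished (it stops at `\PHP{}'s % HOWEVER!`) and argues from logout behaviour, whereas the requirement is whether the login path calls `session_regenerate_id(true)` after a successful (re-)authentication. In 3.9, `trough` should read `through`, and the strength claim should name the PHP version and the `session.hash_function` / `session.entropy_length` (or `session.sid_length` on 7.1+) settings that were checked rather than asserting it, since id quality in PHP depends on that configuration.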
diff --git a/report/v7_cryptography.tex b/report/v7_cryptography.tex
index b2a3876..293dd19 100644
--- a/report/v7_cryptography.tex
+++ b/report/v7_cryptography.tex
@@ -1,3 +1,4 @@
+% usage of crypt()
 \begin{enumerate}[label={7.\arabic*}]
 
   \addtocounter{enumi}{1}
-- 
2.20.1